[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v2 09/18] xsm, argo: XSM control for argo register; add argo_mac bootparam
XSM hooks implement distinct permissions for these two distinct cases of Argo ring registration: * Single source: registering a ring for communication to receive messages from a specified single other domain. Default policy: allow. * Any source: registering a ring for communication to receive messages from any, or all, other domains (ie. wildcard). Default policy: deny, with runtime policy configuration via new bootparam. The reason why the default for wildcard rings is 'deny' is that there is currently no means other than XSM to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. Using XSM at least allows per-domain control over access to the send permission, to limit communication to domains that can be trusted. Since denying access to any-sender rings unless a flask XSM policy is active will prevent many users from using a key Argo feature, also introduce a bootparam that can override this constraint: "argo_mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. Modifies the signature of core XSM hook functions in order to apply 'const' to arguments, needed in order for 'const' to be accepted in signature of functions that invoke them. Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx> --- v1 feedback: replace use of strncmp with strcmp v1 feedback #16 Jan: apply const to function signatures v1 feedback #14 Jan: add blank line before return in parse_argo_mac_param xen/common/argo.c | 16 ++++++++++++++++ xen/include/xsm/dummy.h | 15 +++++++++++++++ xen/include/xsm/xsm.h | 19 +++++++++++++++++++ xen/xsm/dummy.c | 4 ++++ xen/xsm/flask/hooks.c | 27 ++++++++++++++++++++++++--- xen/xsm/flask/policy/access_vectors | 11 +++++++++++ xen/xsm/flask/policy/security_classes | 1 + 7 files changed, 90 insertions(+), 3 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 2d2f8a8..abfc1f0 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -35,6 +35,22 @@ DEFINE_XEN_GUEST_HANDLE(xen_argo_ring_t); static bool __read_mostly opt_argo_enabled; boolean_param("argo", opt_argo_enabled); +/* Xen command line option for conservative or relaxed access control */ +bool __read_mostly argo_mac_bootparam_enforcing = true; + +static int __init parse_argo_mac_param(const char *s) +{ + if ( !strcmp(s, "enforcing") ) + argo_mac_bootparam_enforcing = true; + else if ( !strcmp(s, "permissive") ) + argo_mac_bootparam_enforcing = false; + else + return -EINVAL; + + return 0; +} +custom_param("argo_mac", parse_argo_mac_param); + struct argo_pending_ent { struct hlist_node node; diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index a29d1ef..55113c3 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -720,6 +720,21 @@ static XSM_INLINE int xsm_dm_op(XSM_DEFAULT_ARG struct domain *d) #endif /* CONFIG_X86 */ +#ifdef CONFIG_ARGO +static XSM_INLINE int xsm_argo_register_single_source(struct domain *d, + struct domain *t) +{ + return 0; +} + +static XSM_INLINE int xsm_argo_register_any_source(struct domain *d, + bool strict) +{ + return strict ? -EPERM : 0; +} + +#endif /* CONFIG_ARGO */ + #include <public/version.h> static XSM_INLINE int xsm_xen_version (XSM_DEFAULT_ARG uint32_t op) { diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h index 3b192b5..e775a6d 100644 --- a/xen/include/xsm/xsm.h +++ b/xen/include/xsm/xsm.h @@ -181,6 +181,11 @@ struct xsm_operations { #endif int (*xen_version) (uint32_t cmd); int (*domain_resource_map) (struct domain *d); +#ifdef CONFIG_ARGO + int (*argo_register_single_source) (const struct domain *d, + const struct domain *t); + int (*argo_register_any_source) (const struct domain *d); +#endif }; #ifdef CONFIG_XSM @@ -698,6 +703,20 @@ static inline int xsm_domain_resource_map(xsm_default_t def, struct domain *d) return xsm_ops->domain_resource_map(d); } +#ifdef CONFIG_ARGO +static inline xsm_argo_register_single_source(const struct domain *d, + const struct domain *t) +{ + return xsm_ops->argo_register_single_source(d, t); +} + +static inline xsm_argo_register_any_source(const struct domain *d, bool strict) +{ + return xsm_ops->argo_register_any_source(d); +} + +#endif /* CONFIG_ARGO */ + #endif /* XSM_NO_WRAPPERS */ #ifdef CONFIG_MULTIBOOT diff --git a/xen/xsm/dummy.c b/xen/xsm/dummy.c index 5701047..ed236b0 100644 --- a/xen/xsm/dummy.c +++ b/xen/xsm/dummy.c @@ -152,4 +152,8 @@ void __init xsm_fixup_ops (struct xsm_operations *ops) #endif set_to_dummy_if_null(ops, xen_version); set_to_dummy_if_null(ops, domain_resource_map); +#ifdef CONFIG_ARGO + set_to_dummy_if_null(ops, argo_register_single_source); + set_to_dummy_if_null(ops, argo_register_any_source); +#endif } diff --git a/xen/xsm/flask/hooks.c b/xen/xsm/flask/hooks.c index 96d31aa..fcb7487 100644 --- a/xen/xsm/flask/hooks.c +++ b/xen/xsm/flask/hooks.c @@ -36,13 +36,14 @@ #include <objsec.h> #include <conditional.h> -static u32 domain_sid(struct domain *dom) +static u32 domain_sid(const struct domain *dom) { struct domain_security_struct *dsec = dom->ssid; return dsec->sid; } -static u32 domain_target_sid(struct domain *src, struct domain *dst) +static u32 domain_target_sid(const struct domain *src, + const struct domain *dst) { struct domain_security_struct *ssec = src->ssid; struct domain_security_struct *dsec = dst->ssid; @@ -58,7 +59,8 @@ static u32 evtchn_sid(const struct evtchn *chn) return chn->ssid.flask_sid; } -static int domain_has_perm(struct domain *dom1, struct domain *dom2, +static int domain_has_perm(const struct domain *dom1, + const struct domain *dom2, u16 class, u32 perms) { u32 ssid, tsid; @@ -1717,6 +1719,21 @@ static int flask_domain_resource_map(struct domain *d) return current_has_perm(d, SECCLASS_DOMAIN2, DOMAIN2__RESOURCE_MAP); } +#ifdef CONFIG_ARGO +static int flask_argo_register_single_source(const struct domain *d, + const struct domain *t) +{ + return domain_has_perm(d, t, SECCLASS_ARGO, + ARGO__REGISTER_SINGLE_SOURCE); +} + +static int flask_argo_register_any_source(const struct domain *d) +{ + return avc_has_perm(domain_sid(d), SECINITSID_XEN, SECCLASS_ARGO, + ARGO__REGISTER_ANY_SOURCE, NULL); +} +#endif + long do_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); int compat_flask_op(XEN_GUEST_HANDLE_PARAM(xsm_op_t) u_flask_op); @@ -1851,6 +1868,10 @@ static struct xsm_operations flask_ops = { #endif .xen_version = flask_xen_version, .domain_resource_map = flask_domain_resource_map, +#ifdef CONFIG_ARGO + .argo_register_single_source = flask_argo_register_single_source, + .argo_register_any_source = flask_argo_register_any_source, +#endif }; void __init flask_init(const void *policy_buffer, size_t policy_size) diff --git a/xen/xsm/flask/policy/access_vectors b/xen/xsm/flask/policy/access_vectors index 6fecfda..fb95c97 100644 --- a/xen/xsm/flask/policy/access_vectors +++ b/xen/xsm/flask/policy/access_vectors @@ -531,3 +531,14 @@ class version # Xen build id xen_build_id } + +# Class argo is used to describe the Argo interdomain communication system. +class argo +{ + # Domain requesting registration of a communication ring + # to receive messages from a specific other domain. + register_single_source + # Domain requesting registration of a communication ring + # to receive messages from any other domain. + register_any_source +} diff --git a/xen/xsm/flask/policy/security_classes b/xen/xsm/flask/policy/security_classes index cde4e1a..50ecbab 100644 --- a/xen/xsm/flask/policy/security_classes +++ b/xen/xsm/flask/policy/security_classes @@ -19,5 +19,6 @@ class event class grant class security class version +class argo # FLASK -- 2.7.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |